Line 2: |
| | | |
| ==Principles== | | ==Principles== |
− | # Never trust, always verify. | + | # Never trust, always verify.<ref>[https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture What is a Zero Trust Architecture, Palo Alto Networks]</ref> |
| # No assumptions about assets or user accounts based solely on their physical or network location or asset ownership. | | # No assumptions about assets or user accounts based solely on their physical or network location or asset ownership. |
| # Protect resources (assets, services, workflows, and network accounts), not network segments. | | # Protect resources (assets, services, workflows, and network accounts), not network segments. |
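Review bot: the citation added to principle 1 covers only that line, while principles 2 and 3 (no trust based on location or asset ownership; protect resources, not network segments) still carry no reference. Either add a ref to each of those two lines or place one ref after the whole list, so the section does not read as though the Palo Alto page supports all three principles.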
Line 23: |
| :* the policy enforcement point (PEP) enables, terminates, and monitors connections between users and enterprise resources; and | | :* the policy enforcement point (PEP) enables, terminates, and monitors connections between users and enterprise resources; and |
| :* the policy administrator sends commands to the PEP based on policy engine decisions to allow or deny users’ connections to a requested resource.<ref>[https://www.ekransystem.com/en/blog/zero-trust-security-model Zero Trust Security Model, Ekran]</ref> | | :* the policy administrator sends commands to the PEP based on policy engine decisions to allow or deny users’ connections to a requested resource.<ref>[https://www.ekransystem.com/en/blog/zero-trust-security-model Zero Trust Security Model, Ekran]</ref> |
| + | |
| + | ===Pillars=== |
| + | The seven pillars in the DOD Zero Trust Architecture include:<ref>[https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf Zero Trust Reference Architecture V.1 Feb 2021, DOD, pgs 27-28]</ref> |
| + | ====User==== |
| + | Securing, limiting, and enforcing person, non-person, and federated entities’ access to DAAS encompasses the use of ICAM capabilities such as multi-factor authentication and continuous multi-factor authentication. |
| + | ====Device==== |
| + | The capacity to identify, authenticate, authorize, inventory, isolate, secure, remediate, and control all devices is essential. Real-time attestation |
| + | and patching of devices in an enterprise are critical. Possible options include Mobile Device Managers or Comply to Connect programs and assessments for every access request: examinations of compromise state, anomaly detection, software versions, protection status, and encryption enablement. |
| + | ====Network/Environment==== |
| + | logically and physically segment everything in order to isolate and control organizations with granular access and policy restrictions. |
| + | ====Applications/Workload==== |
| + | This category spans the complete application stack from the application layer to the hypervisor. |
| + | ====Data==== |
| + | Zero Trust protects critical DAAS. Thus, organizations must categorize their DAAS in terms of mission criticality. |
| + | ====Visibility & Analytics==== |
| + | Details are needed on performance, behavior, and activity baselines across other Zero Trust pillars to detect anomalous behavior and make dynamic changes to |
| + | security policy and real-time access decisions. |
| + | ====Automation & Orchestration==== |
| + | Enterprises needed to automate manual security processes to take policy-based actions fast and at scale. |
| | | |
| ==Advantages & Complications== | | ==Advantages & Complications== |
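Review bot: the new Pillars subsection has several wording and expansion problems. "DAAS" (used under User and Data) and "ICAM" (under User) are never expanded; spell them out on first use, since the DOD reference is the only place a reader could look them up. The Network/Environment paragraph begins with a lowercase "logically", and the Automation & Orchestration paragraph reads "Enterprises needed to automate" where present tense "need" is meant. The Device paragraph's second sentence, "Possible options include Mobile Device Managers or Comply to Connect programs and assessments for every access request: examinations of compromise state, ...", mixes the mechanisms (MDM, Comply to Connect) with what is assessed per request; split it into two sentences. The Device and Visibility & Analytics paragraphs are also broken mid-sentence across source lines ("Real-time attestation / and patching", "dynamic changes to / security policy"); harmless in rendered wikitext, but join them for consistency with the other pillars. The blank "+" line before ===Pillars=== should stay so the new subsection is separated from the policy administrator bullet above it.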